PERFORCE change 97283 for review
Todd Miller
millert at FreeBSD.org
Tue May 16 19:14:42 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=97283
Change 97283 by millert at millert_p4 on 2006/05/16 19:13:46
A port of libsepol 1.12.4 to SEBSD
Obtained from: selinux.sourceforge.net
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/COPYING#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/ChangeLog#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/Makefile#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/VERSION#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/Makefile#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/avtab.h#4 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/boolean_record.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/booleans.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/conditional.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/constraint.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/context.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/context_record.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/debug.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/ebitmap.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/flask.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/flask_types.h#4 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/handle.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/hashtab.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/iface_record.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/interfaces.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/mls.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/mls_types.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/module.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/node_record.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/nodes.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/avrule_block.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/avtab.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/conditional.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/constraint.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/context.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/ebitmap.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/expand.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/flask.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/flask_types.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/hashtab.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/hierarchy.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/link.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/mls_types.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/module.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/policydb.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/services.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/sidtab.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb/symtab.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/port_record.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/ports.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/roles.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/sepol.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/services.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/sidtab.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/symtab.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/user_record.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/users.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/man/Makefile#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/man/man3/sepol_check_context.3#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/man/man3/sepol_genbools.3#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/man/man3/sepol_genusers.3#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/man/man8/chkcon.8#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/man/man8/genpolbools.8#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/man/man8/genpolusers.8#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/Makefile#3 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/assertion.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/av_permissions.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/avrule_block.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/avtab.c#4 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/boolean_internal.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/boolean_record.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/booleans.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/conditional.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/constraint.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/context.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/context.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/context_internal.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/context_record.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/debug.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/debug.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/dso.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/ebitmap.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/expand.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/genbools.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/genusers.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/handle.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/handle.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/hashtab.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/hierarchy.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/iface_internal.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/iface_record.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/interfaces.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/libsepol.map#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/link.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/mls.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/mls.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/module.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/module_internal.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/node_internal.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/node_record.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/nodes.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/policydb.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/policydb_convert.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/policydb_internal.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/policydb_public.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/port_internal.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/port_record.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/ports.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/private.h#3 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/roles.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/services.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/sidtab.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/symtab.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/user_internal.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/user_record.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/users.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/util.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/write.c#4 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/utils/Makefile#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/utils/chkcon.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/utils/genpolbools.c#2 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/avtab.h#4 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/conditional.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/constraint.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/context.h#2 (text+ko) ====
@@ -1,131 +1,31 @@
+#ifndef _SEPOL_CONTEXT_H_
+#define _SEPOL_CONTEXT_H_
-/* Author : Stephen Smalley, <sds at epoch.ncsc.mil> */
+#include <sepol/context_record.h>
+#include <sepol/policydb.h>
+#include <sepol/handle.h>
-/* FLASK */
+/* -- Deprecated -- */
-/*
- * A security context is a set of security attributes
- * associated with each subject and object controlled
- * by the security policy. Security contexts are
- * externally represented as variable-length strings
- * that can be interpreted by a user or application
- * with an understanding of the security policy.
- * Internally, the security server uses a simple
- * structure. This structure is private to the
- * security server and can be changed without affecting
- * clients of the security server.
- */
+extern int sepol_check_context(
+ const char *context);
-#ifndef _CONTEXT_H_
-#define _CONTEXT_H_
+/* -- End deprecated -- */
-#include <sepol/ebitmap.h>
+extern int sepol_context_check(
+ sepol_handle_t* handle,
+ const sepol_policydb_t* policydb,
+ const sepol_context_t* context);
-#include <sepol/mls_types.h>
+extern int sepol_mls_contains(
+ sepol_handle_t* handle,
+ const sepol_policydb_t* policydb,
+ const char* mls1,
+ const char* mls2,
+ int* response);
-/*
- * A security context consists of an authenticated user
- * identity, a role, a type and a MLS range.
- */
-typedef struct context_struct {
- uint32_t user;
- uint32_t role;
- uint32_t type;
-#ifdef CONFIG_SECURITY_SELINUX_MLS
- mls_range_t range;
-#endif
-} context_struct_t;
-
-
-#ifdef CONFIG_SECURITY_SELINUX_MLS
-
-static inline void mls_context_init(context_struct_t * c)
-{
- memset(&c->range, 0, sizeof(c->range));
-}
-
-static inline int mls_context_cpy(context_struct_t * dst,
- context_struct_t * src)
-{
- int rc;
-
- dst->range.level[0].sens = src->range.level[0].sens;
- rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
- if (rc)
- goto out;
-
- dst->range.level[1].sens = src->range.level[1].sens;
- rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[1].cat);
- if (rc)
- ebitmap_destroy(&dst->range.level[0].cat);
-out:
- return rc;
-}
-
-static inline int mls_context_cmp(context_struct_t * c1,
- context_struct_t * c2)
-{
- return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
- ebitmap_cmp(&c1->range.level[0].cat,&c2->range.level[0].cat) &&
- (c1->range.level[1].sens == c2->range.level[1].sens) &&
- ebitmap_cmp(&c1->range.level[1].cat,&c2->range.level[1].cat));
-}
-
-static inline void mls_context_destroy(context_struct_t * c)
-{
- ebitmap_destroy(&c->range.level[0].cat);
- ebitmap_destroy(&c->range.level[1].cat);
- mls_context_init(c);
-}
-
-#else
-
-static inline void mls_context_init(context_struct_t *c __attribute__ ((unused)))
-{ }
-
-static inline int mls_context_cpy(context_struct_t * dst __attribute__ ((unused)),
- context_struct_t * src __attribute__ ((unused)))
-{ return 0; }
-
-static inline int mls_context_cmp(context_struct_t * c1 __attribute__ ((unused)),
- context_struct_t * c2 __attribute__ ((unused)))
-{ return 1; }
-
-static inline void mls_context_destroy(context_struct_t * c __attribute__ ((unused)))
-{ }
-
+extern int sepol_mls_check(
+ sepol_handle_t* handle,
+ const sepol_policydb_t* policydb,
+ const char* mls);
#endif
-
-static inline void context_init(context_struct_t * c)
-{
- memset(c, 0, sizeof(*c));
-}
-
-static inline int context_cpy(context_struct_t * dst,
- context_struct_t * src)
-{
- dst->user = src->user;
- dst->role = src->role;
- dst->type = src->type;
- return mls_context_cpy(dst, src);
-}
-
-static inline void context_destroy(context_struct_t * c)
-{
- c->user = c->role = c->type = 0;
- mls_context_destroy(c);
-}
-
-static inline int context_cmp(context_struct_t * c1,
- context_struct_t * c2)
-{
- return ((c1->user == c2->user) &&
- (c1->role == c2->role) &&
- (c1->type == c2->type) &&
- mls_context_cmp(c1, c2));
-}
-
-#endif /* _CONTEXT_H_ */
-
-/* FLASK */
-
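Review bot: The new public prototypes `sepol_context_check`, `sepol_mls_contains` and `sepol_mls_check` carry no documentation of their return convention, and nothing says what `response` is set to by `sepol_mls_contains`, while the removed text documented every structure it covered. A one-line comment above each would close that gap, e.g. for `sepol_context_check`: `/* Return 0 if 'context' is valid under 'policydb', -1 otherwise; diagnostics go through 'handle'. */` — the exact convention should be confirmed against the implementation, which is not in this hunk. The deprecated `sepol_check_context` block should name its replacement (`sepol_context_check`) so callers know what to migrate to. The closing `#endif` also lost its guard comment; `#endif /* _SEPOL_CONTEXT_H_ */` keeps it consistent with the header it replaces, and `sepol_handle_t *handle` would match the pointer style of `const char *context` on the same declarations.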
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/ebitmap.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/flask.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/flask_types.h#4 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/hashtab.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/mls.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/mls_types.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/policydb.h#2 (text+ko) ====
@@ -1,327 +1,130 @@
+#ifndef _SEPOL_POLICYDB_H_
+#define _SEPOL_POLICYDB_H_
-/* Author : Stephen Smalley, <sds at epoch.ncsc.mil> */
+#include <stddef.h>
+#include <stdio.h>
-/* Updated: Frank Mayer <mayerf at tresys.com> and Karl MacMillan <kmacmillan at tresys.com>
- *
- * Added conditional policy language extensions
- *
- * Copyright (C) 2003 - 2004 Tresys Technology, LLC
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, version 2.
- */
+#include <sepol/handle.h>
-/* FLASK */
+struct sepol_policy_file;
+typedef struct sepol_policy_file sepol_policy_file_t;
-/*
- * A policy database (policydb) specifies the
- * configuration data for the security policy.
- */
+struct sepol_policydb;
+typedef struct sepol_policydb sepol_policydb_t;
-#ifndef _POLICYDB_H_
-#define _POLICYDB_H_
+/* Policy file public interfaces. */
-#include <stdio.h>
+/* Create and free memory associated with a policy file. */
+extern int sepol_policy_file_create(sepol_policy_file_t **pf);
+extern void sepol_policy_file_free(sepol_policy_file_t *pf);
-#include <sepol/flask_types.h>
-#include <sepol/symtab.h>
-#include <sepol/avtab.h>
-#include <sepol/context.h>
-#include <sepol/constraint.h>
-#include <sepol/sidtab.h>
+/*
+ * Set the policy file to represent a binary policy memory image.
+ * Subsequent operations using the policy file will read and write
+ * the image located at the specified address with the specified length.
+ * If 'len' is 0, then merely compute the necessary length upon
+ * subsequent policydb write operations in order to determine the
+ * necessary buffer size to allocate.
+ */
+extern void sepol_policy_file_set_mem(sepol_policy_file_t *pf,
+ char *data,
+ size_t len);
/*
- * A datum type is defined for each kind of symbol
- * in the configuration data: individual permissions,
- * common prefixes for access vectors, classes,
- * users, roles, types, sensitivities, categories, etc.
+ * Get the size of the buffer needed to store a policydb write
+ * previously done on this policy file.
*/
+extern int sepol_policy_file_get_len(sepol_policy_file_t *pf,
+ size_t *len);
-/* Permission attributes */
-typedef struct perm_datum {
- uint32_t value; /* permission bit + 1 */
-#ifdef CONFIG_SECURITY_SELINUX_MLS
-#define MLS_BASE_READ 1 /* MLS base permission `read' */
-#define MLS_BASE_WRITE 2 /* MLS base permission `write' */
-#define MLS_BASE_READBY 4 /* MLS base permission `readby' */
-#define MLS_BASE_WRITEBY 8 /* MLS base permission `writeby' */
- uint32_t base_perms; /* MLS base permission mask */
-#endif
-} perm_datum_t;
+/*
+ * Set the policy file to represent a FILE.
+ * Subsequent operations using the policy file will read and write
+ * to the FILE.
+ */
+extern void sepol_policy_file_set_fp(sepol_policy_file_t *pf,
+ FILE *fp);
-/* Attributes of a common prefix for access vectors */
-typedef struct common_datum {
- uint32_t value; /* internal common value */
- symtab_t permissions; /* common permissions */
-} common_datum_t;
+/*
+ * Associate a handle with a policy file, for use in
+ * error reporting from subsequent calls that take the
+ * policy file as an argument.
+ */
+extern void sepol_policy_file_set_handle(sepol_policy_file_t *pf,
+ sepol_handle_t *handle);
-/* Class attributes */
-typedef struct class_datum {
- uint32_t value; /* class value */
- char *comkey; /* common name */
- common_datum_t *comdatum; /* common datum */
- symtab_t permissions; /* class-specific permission symbol table */
- constraint_node_t *constraints; /* constraints on class permissions */
-#ifdef CONFIG_SECURITY_SELINUX_MLS
- mls_perms_t mlsperms; /* MLS base permission masks */
-#endif
-} class_datum_t;
+/* Policydb public interfaces. */
-/* Role attributes */
-typedef struct role_datum {
- uint32_t value; /* internal role value */
- ebitmap_t dominates; /* set of roles dominated by this role */
- ebitmap_t types; /* set of authorized types for role */
-} role_datum_t;
+/* Create and free memory associated with a policydb. */
+extern int sepol_policydb_create(sepol_policydb_t **p);
+extern void sepol_policydb_free(sepol_policydb_t *p);
-typedef struct role_trans {
- uint32_t role; /* current role */
- uint32_t type; /* program executable type */
- uint32_t new_role; /* new role */
- struct role_trans *next;
-} role_trans_t;
+/* Legal types of policies that the policydb can represent. */
+#define SEPOL_POLICY_KERN 0
+#define SEPOL_POLICY_BASE 1
+#define SEPOL_POLICY_MOD 2
-typedef struct role_allow {
- uint32_t role; /* current role */
- uint32_t new_role; /* new role */
- struct role_allow *next;
-} role_allow_t;
+/*
+ * Range of policy versions for the kernel policy type supported
+ * by this library.
+ */
+extern int sepol_policy_kern_vers_min(void);
+extern int sepol_policy_kern_vers_max(void);
-/* Type attributes */
-typedef struct type_datum {
- uint32_t value; /* internal type value */
- unsigned char primary; /* primary name? */
-#ifndef __KERNEL__
- unsigned char isattr; /* is this a type attribute? */
- ebitmap_t types; /* types with this attribute */
-#endif
-} type_datum_t;
+/*
+ * Set the policy type as specified, and automatically initialize the
+ * policy version accordingly to the maximum version supported for the
+ * policy type.
+ * Returns -1 if the policy type is not legal.
+ */
+extern int sepol_policydb_set_typevers(sepol_policydb_t *p, unsigned int type);
-/* User attributes */
-typedef struct user_datum {
- uint32_t value; /* internal user value */
- ebitmap_t roles; /* set of authorized roles for user */
-#ifdef CONFIG_SECURITY_SELINUX_MLS
- mls_range_list_t *ranges; /* list of authorized MLS ranges for user */
-#endif
- unsigned defined;
-} user_datum_t;
+/*
+ * Set the policy version to a different value.
+ * Returns -1 if the policy version is not in the supported range for
+ * the (previously set) policy type.
+ */
+extern int sepol_policydb_set_vers(sepol_policydb_t *p, unsigned int vers);
+/*
+ * Read a policydb from a policy file.
+ * This automatically sets the type and version based on the
+ * image contents.
+ */
+extern int sepol_policydb_read(sepol_policydb_t *p,
+ sepol_policy_file_t *pf);
-#ifdef CONFIG_SECURITY_SELINUX_MLS
-/* Sensitivity attributes */
-typedef struct level_datum {
- mls_level_t *level; /* sensitivity and associated categories */
- unsigned char isalias; /* is this sensitivity an alias for another? */
-} level_datum_t;
+/*
+ * Write a policydb to a policy file.
+ * The generated image will be in the binary format corresponding
+ * to the policy version associated with the policydb.
+ */
+extern int sepol_policydb_write(sepol_policydb_t *p,
+ sepol_policy_file_t *pf);
-/* Category attributes */
-typedef struct cat_datum {
- uint32_t value; /* internal category bit + 1 */
- unsigned char isalias; /* is this category an alias for another? */
-} cat_datum_t;
-#endif
-
-/* Boolean data type */
-typedef struct cond_bool_datum {
- uint32_t value; /* internal type value */
- int state;
-} cond_bool_datum_t;
-
-struct cond_node;
-
-typedef struct cond_node cond_list_t;
-
/*
- * The configuration data includes security contexts for
- * initial SIDs, unlabeled file systems, TCP and UDP port numbers,
- * network interfaces, and nodes. This structure stores the
- * relevant data for one such entry. Entries of the same kind
- * (e.g. all initial SIDs) are linked together into a list.
+ * Extract a policydb from a binary policy memory image.
+ * This is equivalent to sepol_policydb_read with a policy file
+ * set to refer to memory.
*/
-typedef struct ocontext {
- union {
- char *name; /* name of initial SID, fs, netif, fstype, path */
- struct {
- uint8_t protocol;
- uint16_t low_port;
- uint16_t high_port;
- } port; /* TCP or UDP port information */
- struct {
- uint32_t addr;
- uint32_t mask;
- } node; /* node information */
- struct {
- uint32_t addr[4];
- uint32_t mask[4];
- } node6; /* IPv6 node information */
- } u;
- union {
- uint32_t sclass; /* security class for genfs */
- uint32_t behavior; /* labeling behavior for fs_use */
- } v;
- context_struct_t context[2]; /* security context(s) */
- security_id_t sid[2]; /* SID(s) */
- struct ocontext *next;
-} ocontext_t;
-
-typedef struct genfs {
- char *fstype;
- struct ocontext *head;
- struct genfs *next;
-} genfs_t;
-
-/* symbol table array indices */
-#define SYM_COMMONS 0
-#define SYM_CLASSES 1
-#define SYM_ROLES 2
-#define SYM_TYPES 3
-#define SYM_USERS 4
-#ifdef CONFIG_SECURITY_SELINUX_MLS
-#define SYM_LEVELS 5
-#define SYM_CATS 6
-#define SYM_BOOLS 7
-#define SYM_NUM 8
-#else
-#define SYM_BOOLS 5
-#define SYM_NUM 6
-#endif
-
-/* object context array indices */
-#define OCON_ISID 0 /* initial SIDs */
-#define OCON_FS 1 /* unlabeled file systems */
-#define OCON_PORT 2 /* TCP and UDP port numbers */
-#define OCON_NETIF 3 /* network interfaces */
-#define OCON_NODE 4 /* nodes */
-#define OCON_FSUSE 5 /* fs_use */
-#define OCON_NODE6 6 /* IPv6 nodes */
-#define OCON_NUM 7
-
-/* The policy database */
-typedef struct policydb {
- /* symbol tables */
- symtab_t symtab[SYM_NUM];
-#define p_commons symtab[SYM_COMMONS]
-#define p_classes symtab[SYM_CLASSES]
-#define p_roles symtab[SYM_ROLES]
-#define p_types symtab[SYM_TYPES]
-#define p_users symtab[SYM_USERS]
-#define p_levels symtab[SYM_LEVELS]
-#define p_cats symtab[SYM_CATS]
-#define p_bools symtab[SYM_BOOLS]
+extern int sepol_policydb_from_image(sepol_handle_t *handle,
+ void* data, size_t len,
+ sepol_policydb_t *p);
- /* symbol names indexed by (value - 1) */
- char **sym_val_to_name[SYM_NUM];
-#define p_common_val_to_name sym_val_to_name[SYM_COMMONS]
-#define p_class_val_to_name sym_val_to_name[SYM_CLASSES]
-#define p_role_val_to_name sym_val_to_name[SYM_ROLES]
-#define p_type_val_to_name sym_val_to_name[SYM_TYPES]
-#define p_user_val_to_name sym_val_to_name[SYM_USERS]
-#define p_sens_val_to_name sym_val_to_name[SYM_LEVELS]
-#define p_cat_val_to_name sym_val_to_name[SYM_CATS]
-#define p_bool_val_to_name sym_val_to_name[SYM_BOOLS]
- /* class, role, and user attributes indexed by (value - 1) */
- class_datum_t **class_val_to_struct;
- role_datum_t **role_val_to_struct;
- user_datum_t **user_val_to_struct;
-
- /* type enforcement access vectors and transitions */
- avtab_t te_avtab;
-
- /* bools indexed by (value - 1) */
- cond_bool_datum_t **bool_val_to_struct;
- /* type enforcement conditional access vectors and transitions */
- avtab_t te_cond_avtab;
- /* linked list indexing te_cond_avtab by conditional */
- cond_list_t* cond_list;
-
- /* role transitions */
- role_trans_t *role_tr;
-
- /* role allows */
- role_allow_t *role_allow;
-
- /* security contexts of initial SIDs, unlabeled file systems,
- TCP or UDP port numbers, network interfaces and nodes */
- ocontext_t *ocontexts[OCON_NUM];
-
- /* security contexts for files in filesystems that cannot support
- a persistent label mapping or use another
- fixed labeling behavior. */
- genfs_t *genfs;
-
-#ifdef CONFIG_SECURITY_SELINUX_MLS
- /* number of legitimate MLS levels */
- uint32_t nlevels;
-
- ebitmap_t trustedreaders;
- ebitmap_t trustedwriters;
- ebitmap_t trustedobjects;
-#endif
-
- unsigned policyvers;
-} policydb_t;
-
-extern int policydb_init(policydb_t * p);
-
-extern int policydb_index_classes(policydb_t * p);
-
-extern int policydb_index_bools(policydb_t * p);
-
-extern int policydb_index_others(policydb_t * p, unsigned int verbose);
-
-extern int constraint_expr_destroy(constraint_expr_t * expr);
-
-extern void policydb_destroy(policydb_t * p);
-
-extern int policydb_load_isids(policydb_t *p, sidtab_t *s);
-
-extern int policydb_context_isvalid(policydb_t *p, context_struct_t *c);
-
-/* A policy "file" may be a memory region referenced by a (data, len) pair
- or a file referenced by a FILE pointer. */
-struct policy_file {
-#define PF_USE_MEMORY 0
-#define PF_USE_STDIO 1
- unsigned type;
- char *data;
- size_t len;
- FILE *fp;
-};
-
-extern int policydb_read(policydb_t * p, struct policy_file * fp, unsigned int verbose);
-
-extern int policydb_write(struct policydb *p, struct policy_file *pf);
-
-#define PERM_SYMTAB_SIZE 32
-
-/* Identify specific policy version changes */
-#define POLICYDB_VERSION_BASE 15
-#define POLICYDB_VERSION_BOOL 16
-#define POLICYDB_VERSION_IPV6 17
-#define POLICYDB_VERSION_NLCLASS 18
-
-/* Range of policy versions we understand*/
-#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_NLCLASS
-
/*
- * Set policy version for writing policies.
- * May be any value from POLICYDB_VERSION_MIN to POLICYDB_VERSION_MAX.
- * If not set, then policydb_write defaults to the max.
+ * Generate a binary policy memory image from a policydb.
+ * This is equivalent to sepol_policydb_write with a policy file
+ * set to refer to memory, but internally handles computing the
+ * necessary length and allocating an appropriately sized memory
+ * buffer for the caller.
*/
-extern int sepol_set_policyvers(unsigned int policyvers);
+extern int sepol_policydb_to_image(sepol_handle_t *handle,
+ sepol_policydb_t *p,
+ void **newdata,
+ size_t *newlen);
-#define POLICYDB_CONFIG_MLS 1
+extern int sepol_policydb_mls_enabled(
+ const sepol_policydb_t* p);
-#define OBJECT_R "object_r"
-#define OBJECT_R_VAL 1
-
-#define POLICYDB_MAGIC SELINUX_MAGIC
-#define POLICYDB_STRING "SE Linux"
-
-#endif /* _POLICYDB_H_ */
-
-/* FLASK */
-
+#endif
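Review bot: The comment on `sepol_policydb_to_image` says the library allocates the image buffer for the caller but not who releases it; ownership of `*newdata` should be explicit, e.g. `* On success the caller owns *newdata and must release it (presumably with free(); confirm against the implementation).` Likewise the comment on `sepol_policy_file_set_mem` does not say whether the policy file keeps a reference to `data` or copies it, which decides whether the caller's buffer must outlive the subsequent read/write calls — as far as I can tell from the description it is a reference. `sepol_policydb_from_image` takes `void* data` as a non-const input, so a caller holding a read-only image has to cast; `const void *data` would document intent unless the read path actually mutates the buffer. The closing `#endif` could carry the guard name (`#endif /* _SEPOL_POLICYDB_H_ */`) as the removed header did.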
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/sepol.h#2 (text+ko) ====
@@ -1,21 +1,28 @@
#ifndef _SEPOL_H_
#define _SEPOL_H_
-#include <sys/types.h>
+#include <stddef.h>
+#include <stdio.h>
-/* Given an existing binary policy (starting at 'data', with length 'len')
- and a boolean configuration file named by 'boolpath', rewrite the binary
- policy for the boolean settings in the boolean configuration file.
- The binary policy is rewritten in place in memory.
- Returns 0 upon success, or -1 otherwise. */
-extern int sepol_genbools(void *data, size_t len, char *boolpath);
+#include <sepol/user_record.h>
+#include <sepol/context_record.h>
+#include <sepol/iface_record.h>
+#include <sepol/port_record.h>
+#include <sepol/boolean_record.h>
+#include <sepol/node_record.h>
-/* Given an existing binary policy (starting at 'data', with length 'len')
- and boolean settings specified by the parallel arrays ('names', 'values')
- with 'nel' elements, rewrite the binary policy for the boolean settings.
- The binary policy is rewritten in place in memory.
- Returns 0 upon success or -1 otherwise. */
-extern int sepol_genbools_array(void *data, size_t len, char **names, int *values, int nel);
+#include <sepol/booleans.h>
+#include <sepol/interfaces.h>
+#include <sepol/ports.h>
+#include <sepol/nodes.h>
+#include <sepol/users.h>
+#include <sepol/handle.h>
+#include <sepol/debug.h>
+#include <sepol/policydb.h>
+#include <sepol/module.h>
+#include <sepol/context.h>
+/* Set internal policydb from a file for subsequent service calls. */
+extern int sepol_set_policydb_from_file(FILE *fp);
#endif
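Review bot: `sepol_set_policydb_from_file` is declared with only a one-line purpose comment; it does not say what it returns, whether a previously set internal policydb is replaced and released, or that `fp` is read but not closed by the call. The removed `sepol_genbools` comments stated the return convention explicitly, so the new declaration reads as a step back; suggest `/* Set internal policydb from a file for subsequent service calls. Returns 0 on success, -1 otherwise. */`, with the convention confirmed against the implementation in services.c, which is not in this hunk. Since `sepol_genbools` and `sepol_genbools_array` no longer appear here and the header now aggregates the public sub-headers, a short comment noting which sub-header now declares them would help callers migrating.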
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/services.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/sidtab.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/include/sepol/symtab.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/Makefile#3 (text+ko) ====
@@ -5,22 +5,13 @@
LIBVERSION = 1
-# Set to y for MLS
-MLS=n
-
-.if $(MLS) == "y"
-OPTIONS = -DCONFIG_SECURITY_SELINUX_MLS
-.else
-OPTIONS =
-.endif
-
LIBA=libsepol.a
TARGET=libsepol.so
LIBSO=$(TARGET).$(LIBVERSION)
OBJS= $(patsubst %.c,%.o,$(wildcard *.c))
LOBJS= $(patsubst %.c,%.lo,$(wildcard *.c))
-CFLAGS = -Wall $(OPTIONS)
-override CFLAGS += -I. -I../include
+CFLAGS ?= -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute
+override CFLAGS += -I. -I../include -D_GNU_SOURCE
all: $(LIBA) $(LIBSO)
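Review bot: `CFLAGS ?= -Wall -W -Wundef ...` makes the warning set conditional on CFLAGS being unset in the environment and on the command line; on a BSD build where CFLAGS is commonly pre-set, the whole warning set silently disappears, whereas the old `CFLAGS = -Wall $(OPTIONS)` always applied it. If the intent is to let the environment supply optimisation flags while keeping the warnings, put the warnings on the unconditional line: `override CFLAGS += -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute -I. -I../include -D_GNU_SOURCE`. `-D_GNU_SOURCE` is primarily a glibc feature-test macro, so a comment on what it is needed for in a SEBSD port would help the next reader.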
@@ -29,14 +20,14 @@
ranlib $@
$(LIBSO): $(LOBJS)
- $(CC) $(LDFLAGS) -shared -o $@ $^ -Wl,-soname,$(LIBSO),--version-script=libsepol.map
+ $(CC) $(LDFLAGS) -shared -o $@ $^ -Wl,-soname,$(LIBSO),--version-script=libsepol.map,-z,defs
ln -sf $@ $(TARGET)
%.o: %.c
$(CC) $(CFLAGS) -c -o $@ $<
%.lo: %.c
- $(CC) $(CFLAGS) -fPIC -c -o $@ $<
+ $(CC) $(CFLAGS) -fpic -DSHARED -c -o $@ $<
install: all
test -d $(LIBDIR) || install -m 755 -d $(LIBDIR)
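Review bot: Switching `-fPIC` to `-fpic` for the shared objects trades portability for a marginally smaller GOT: `-fpic` has a platform-dependent limit on the number of GOT entries (notably on some non-x86 targets) and can fail at link time, which is why `-fPIC` is the usual choice in FreeBSD builds. Unless the small model was measured to matter, keep `$(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $<`. The added `-z,defs` on the link line is a good change: it turns undefined symbols into a link error instead of a load-time failure.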
@@ -45,6 +36,9 @@
install -m 755 $(LIBSO) $(SHLIBDIR)
cd $(LIBDIR) && ln -sf ../../`basename $(SHLIBDIR)`/$(LIBSO) $(TARGET)
+relabel:
+ /sbin/restorecon $(SHLIBDIR)/$(LIBSO)
+
clean:
- rm -f $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET)
+ -rm -f $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET)
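Review bot: The new `relabel` target hard-codes `/sbin/restorecon`, so on a host where the tool lives elsewhere or is not installed the target fails with a bare path error; `RESTORECON ?= /sbin/restorecon` next to LIBVERSION and `$(RESTORECON) $(SHLIBDIR)/$(LIBSO)` in the recipe keep it overridable the same way LIBDIR and SHLIBDIR already are. The leading `-` added to the `clean` recipe makes `make clean` report success even when the removal itself failed (for example on a read-only build tree); `rm -f` already tolerates missing files, so the prefix only hides real errors.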
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/av_permissions.h#2 (text+ko) ====
@@ -1,2 +1,3 @@
/* Used by security_compute_av. */
#define PROCESS__TRANSITION 0x00000002UL
+#define PROCESS__DYNTRANSITION 0x00800000UL
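Review bot: `PROCESS__DYNTRANSITION 0x00800000UL` appears to be a hand-maintained copy of a permission bit with no statement of what it must agree with; if the policy's `process` class assigns that bit differently, security_compute_av (named in the comment above) tests the wrong permission and the mismatch shows up as a silent authorization error rather than a build failure. A comment tying the constants to their origin helps the next maintainer check them: `/* Bit positions must match the 'process' class in the policy's access vector definitions; re-check when that class changes. */`.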
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libsepol/src/avtab.c#4 (text+ko) ====
@@ -5,10 +5,26 @@
*
* Added conditional policy language extensions
*
+ * Updated: Red Hat, Inc. James Morris <jmorris at redhat.com>
+ *
+ * Code cleanup
+ *
* Copyright (C) 2003 Tresys Technology, LLC
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, version 2.
+ * Copyright (C) 2003 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
/* FLASK */
@@ -18,9 +34,10 @@
*/
#include <stdlib.h>
-#include <sepol/avtab.h>
-#include <sepol/policydb.h>
+#include <sepol/policydb/avtab.h>
+#include <sepol/policydb/policydb.h>
+#include "debug.h"
#include "private.h"
#define AVTAB_HASH(keyp) \
@@ -30,7 +47,7 @@
AVTAB_HASH_MASK)
static avtab_ptr_t
- avtab_insert_node(avtab_t *h, int hvalue, avtab_ptr_t prev, avtab_ptr_t cur, avtab_key_t *key, avtab_datum_t *datum)
+ avtab_insert_node(avtab_t *h, int hvalue, avtab_ptr_t prev, avtab_key_t *key, avtab_datum_t *datum)
{
avtab_ptr_t newnode;
newnode = (avtab_ptr_t) malloc(sizeof(struct avtab_node));
@@ -57,6 +74,7 @@
{
int hvalue;
avtab_ptr_t prev, cur, newnode;
+ uint16_t specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
if (!h)
return -ENOMEM;
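Review bot: The mask `key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD)` added here is repeated verbatim in avtab_insert_nonunique and avtab_search (the hunks at `@@ -97,6 +115,7 @@` and `@@ -119,37 +138,17 @@`), so a future change to which bits count as flags rather than rule type has three places to miss. A single helper keeps the sites in step: `static inline uint16_t avtab_spec_mask(const avtab_key_t *key) { return key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD); }` near the AVTAB_HASH macro, and `uint16_t specified = avtab_spec_mask(key);` at each site. avtab_insert's body continues outside this hunk.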
@@ -68,7 +86,7 @@
if (key->source_type == cur->key.source_type &&
key->target_type == cur->key.target_type &&
key->target_class == cur->key.target_class &&
- (datum->specified & cur->datum.specified))
+ (specified & cur->key.specified))
return -EEXIST;
if (key->source_type < cur->key.source_type)
break;
@@ -81,7 +99,7 @@
break;
}
- newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum);
+ newnode = avtab_insert_node(h, hvalue, prev, key, datum);
if(!newnode)
return -ENOMEM;
@@ -97,6 +115,7 @@
{
int hvalue;
avtab_ptr_t prev, cur, newnode;
+ uint16_t specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
if (!h)
return NULL;
@@ -107,7 +126,7 @@
if (key->source_type == cur->key.source_type &&
key->target_type == cur->key.target_type &&
key->target_class == cur->key.target_class &&
- (datum->specified & cur->datum.specified))
+ (specified & cur->key.specified))
break;
if (key->source_type < cur->key.source_type)
break;
@@ -119,37 +138,17 @@
key->target_class < cur->key.target_class)
break;
}
- newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum);
+ newnode = avtab_insert_node(h, hvalue, prev, key, datum);
return newnode;
}
-/* Unlike avtab_insert(), this function stores a caller-provided parse_context pointer, AND
- * allow multiple insertions of the same key/specified mask into the table, AND returns
- * a pointer to the new node added, all as needed by the conditional avtab.
- */
-avtab_ptr_t
- avtab_insert_with_parse_context(avtab_t *h, avtab_key_t *key, avtab_datum_t *datum, void *parse_context)
-{
- avtab_ptr_t newnode;
-
- if (!h)
- return NULL;
-
- newnode = avtab_insert_nonunique(h, key, datum);
- if(!newnode)
- return NULL;
-
- newnode->parse_context = parse_context;
-
- return newnode;
-}
-
avtab_datum_t *
- avtab_search(avtab_t * h, avtab_key_t * key, int specified)
+ avtab_search(avtab_t * h, avtab_key_t * key)
{
int hvalue;
avtab_ptr_t cur;
+ uint16_t specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
if (!h)
@@ -160,7 +159,7 @@
>>> TRUNCATED FOR MAIL (1000 lines) <<<